Draft
71 commits
35bc0a2  chores(ci): opted-out nix-fast-build  (yvan-sraka, Jul 22, 2025)
81834ab  chores(ci): set up nix-github-actions  (yvan-sraka, Jul 24, 2025)
97f2d72  chores(ci): comment out vestigial testinfra-ami-build  (yvan-sraka, Aug 11, 2025)
777ebc0  chores(ci): use custom github runners  (yvan-sraka, Aug 11, 2025)
82ed2f5  chores(ci): use nix-eval-jobs and set AWS creds to /etc/nix/aws  (yvan-sraka, Sep 29, 2025)
ecf0b4e  feat(ci): do not build if already cached  (jfroche, Sep 29, 2025)
0054326  chore: improve reproducibility of postgresql builds  (jfroche, Sep 29, 2025)
02ecbc5  chore: remove nix-github-actions dependency  (jfroche, Sep 29, 2025)
12a3bad  feat(ci): split nix build workflow into separate extensions and check…  (jfroche, Sep 30, 2025)
cb09c1b  feat(ci): extract nix build setup into reusable action and split buil…  (jfroche, Sep 30, 2025)
c8edd1d  fix(ci): do not hide cached builds  (jfroche, Sep 30, 2025)
d1217f2  Revert "fix(ci): do not hide cached builds"  (jfroche, Sep 30, 2025)
3ba1801  chore: Temporarily disable x86_64-linux builds  (jfroche, Sep 30, 2025)
155165f  fix: sort packages and filter out cached ones  (jfroche, Sep 30, 2025)
d2054e0  fix: do not skip checks-matrix if dependencies are skipped  (jfroche, Sep 30, 2025)
1bc9b17  fix: do not return debug fields in GitHub Actions matrix output  (jfroche, Sep 30, 2025)
6f86ed4  debugging  (jfroche, Sep 30, 2025)
b8124bf  fix(ci): use !cancelled() instead of always() for dependent job condi…  (jfroche, Oct 2, 2025)
479ab0f  fix(ci): stop chaining aws roles  (jfroche, Oct 2, 2025)
3467170  ci: run nixos test on aarch64-linux  (jfroche, Oct 2, 2025)
5c6801e  fix(ci): disable eval-cache and accept-flake-config  (jfroche, Oct 2, 2025)
fc722b6  ci: split checks build jobs by system architecture  (jfroche, Oct 2, 2025)
24981df  fix(ci): use correct architecture name in aarch64-linux builds  (jfroche, Oct 3, 2025)
152c07a  fix(ci): do not try to build already cached checks  (jfroche, Oct 3, 2025)
cd829fb  fix(ci): simplify GitHub Actions workflow for Nix builds  (jfroche, Oct 3, 2025)
333f031  Revert "chores(ci): comment out vestigial testinfra-ami-build"  (jfroche, Oct 3, 2025)
df79c71  feat(ci): eval on blacksmith-32vcpu-ubuntu-2404  (jfroche, Oct 3, 2025)
fee4471  feat: add ephemeral Nix install action for GitHub runners  (jfroche, Oct 3, 2025)
1bbdf90  refactor(ci): extract nix eval into reusable workflow  (jfroche, Oct 3, 2025)
d27ecb5  feat: enable x86_64-linux builds in CI  (jfroche, Oct 6, 2025)
19cdcbc  feat: add PostgreSQL version to GitHub Actions job names  (jfroche, Oct 6, 2025)
424e7b8  fix: disable treefmt flake check  (jfroche, Oct 6, 2025)
994bd62  feat: run actionlint on new GitHub Actions workflows  (jfroche, Oct 6, 2025)
b0067a7  chore: improve github matrix script type annotations  (jfroche, Oct 6, 2025)
8e7744a  feat: optimize CI runner selection based on package size  (jfroche, Oct 6, 2025)
65f4e04  chore: fix package meta maintainers format  (jfroche, Oct 6, 2025)
236ff3b  chore: create a nix package for generating GitHub Actions matrix  (jfroche, Oct 6, 2025)
5672ff9  fix: configure runner according to the matrix job  (jfroche, Oct 6, 2025)
6c1aa19  Update nix-eval-jobs  (jfroche, Oct 14, 2025)
dfa3e75  refactor(ci): standardize nix installation and disable cache push by …  (jfroche, Oct 27, 2025)
7f185c3  feat: use big-parallel to identify large packages  (jfroche, Oct 27, 2025)
6733d10  fix(ci): ensure x86_64-linux build is considered in testinfra and tes…  (jfroche, Oct 27, 2025)
3ad21bf  fix: nix devShell inclusion condition  (jfroche, Oct 27, 2025)
8a4dcf9  fix(ci): eval should fail if github-matrix run fails  (jfroche, Oct 29, 2025)
d2709bc  fix(ci): remove redundant build psql bundle step  (yvan-sraka, Nov 14, 2025)
b0c8818  fix: reduce ARM runner size from 8vcpu to 4vcpu for ephemeral builds  (jfroche, Nov 14, 2025)
19e461b  feat: do not return empty matrices if no package has to be built  (jfroche, Nov 24, 2025)
2fa0622  feat: fail pipeline if nix evaluation fails  (jfroche, Nov 24, 2025)
33662ea  Update nix/ext/pgvector.nix  (yvan-sraka, Nov 24, 2025)
608ada6  fix: add skip job only for systems that don't have any job  (jfroche, Nov 25, 2025)
ef30962  fix(github-matrix): handle evaluation errors without deadlock  (jfroche, Nov 25, 2025)
e513eb8  feat(github-matrix): integrate github-action-utils for better error v…  (jfroche, Nov 25, 2025)
cb95579  feat(github-matrix): group evaluation errors by message  (jfroche, Nov 25, 2025)
021f243  fix(github-matrix): improve multiline error display in GitHub Actions  (jfroche, Nov 25, 2025)
399cfd7  fix(ci): skip run-testinfra and run-tests when nix-eval fails  (jfroche, Nov 25, 2025)
b6d84e6  chore(github-matrix): update message when there are no builds for a sy…  (jfroche, Nov 25, 2025)
41e344c  fix(github-matrix): backward compatibility for Result access  (jfroche, Nov 25, 2025)
a694685  refactor: migrate from packages to legacyPackages for PostgreSQL exte…  (jfroche, Dec 1, 2025)
aa9ac48  refactor(nix): remove "-all" suffix from extension package names  (jfroche, Dec 1, 2025)
1cc0103  refactor(ci): split nix build jobs into separate packages and checks …  (jfroche, Dec 1, 2025)
16ec6f8  fix(ci): use depot runners  (jfroche, Dec 2, 2025)
5161d38  chore: test ci performance  (jfroche, Dec 2, 2025)
81df154  Revert "fix(ci): use depot runners"  (samrose, Dec 4, 2025)
47e3fb7  test: trigger full rebuild  (samrose, Dec 4, 2025)
daf3cad  Revert "test: trigger full rebuild"  (samrose, Dec 4, 2025)
1fafab1  tests: drop 1 extension to trigger rebuild  (samrose, Dec 4, 2025)
9bd9a14  test: trigger full rebuild of wrappers  (samrose, Dec 4, 2025)
97cb18d  test: retrigger build  (samrose, Dec 5, 2025)
7df1800  test: re-add oldest to trigger build again  (samrose, Dec 5, 2025)
e3172aa  chore: trigger CI  (jfroche, Dec 5, 2025)
0b8979d  test: retrigger build  (samrose, Dec 5, 2025)
5 changes: 5 additions & 0 deletions .github/actionlint.yaml
@@ -0,0 +1,5 @@
self-hosted-runner:
labels:
- aarch64-darwin
- aarch64-linux
- blacksmith-32vcpu-ubuntu-2404
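Review bot: this label list is what lets actionlint accept non-GitHub `runs-on` values, yet the new build jobs take their runner from `matrix.runs_on`, an expression actionlint cannot resolve, so the list effectively covers only the literal `blacksmith-32vcpu-ubuntu-2404` used by the eval job plus the two architecture labels. Add a comment above `labels:` saying where these come from and that any new runner label emitted by the github-matrix package (for example the smaller ARM runner mentioned in commit b0c8818) must be added here too, otherwise a literal use of it in a workflow is flagged as an unknown runner and the actionlint check added in 994bd62 becomes noise rather than signal.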
30 changes: 30 additions & 0 deletions .github/actions/nix-install-self-hosted/action.yml
@@ -0,0 +1,30 @@
name: 'Configure Nix on self hosted runners'
description: 'Sets up AWS credentials to push to the Nix binary cache'
inputs:
aws-role-duration:
description: 'AWS role session duration in seconds'
required: false
default: '18000'

runs:
using: 'composite'
steps:
- name: aws-creds
uses: aws-actions/configure-aws-credentials@v4.3.1
with:
disable-retry: true
aws-region: us-east-2
role-to-assume: arn:aws:iam::436098097459:role/nix-artifacts-deploy-role # supabase-dev
role-session-name: gha-oidc-${{ github.run_id }}
role-duration-seconds: ${{ inputs.aws-role-duration }}

- name: Write creds files
shell: bash
run: |
umask 006
cat > /etc/nix/aws/nix-aws-credentials <<EOF
[ci-uploader]
aws_access_key_id = ${AWS_ACCESS_KEY_ID}
aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
aws_session_token = ${AWS_SESSION_TOKEN}
EOF
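Review bot: in the `Write creds files` step the mode of `/etc/nix/aws/nix-aws-credentials` depends entirely on `umask 006`, and a umask only applies when the file is created; on a persistent self-hosted runner where the file already exists from an earlier job, `cat >` truncates it and keeps whatever mode it already has. Set the mode explicitly, for example `install -m 0600 /dev/null /etc/nix/aws/nix-aws-credentials` before the heredoc (or a `chmod` right after it), so permissions do not depend on prior runner state. The session credentials written here (valid for up to `aws-role-duration`, 18000 seconds by default) also remain on disk after the job, since a composite action has no post step; the calling workflows should remove the file in an `if: always()` cleanup step. Finally, `aws-actions/configure-aws-credentials@v4.3.1` is pinned to a tag rather than a commit SHA; for a third-party action that handles cloud credentials, pin the SHA.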
236 changes: 180 additions & 56 deletions .github/workflows/nix-build.yml
Expand Up @@ -14,77 +14,201 @@ permissions:
contents: write
packages: write

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
build-run-image:
nix-eval:
uses: ./.github/workflows/nix-eval.yml
secrets:
DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}

nix-build-packages-aarch64-linux:
name: >-
${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
(aarch64-linux)
needs: nix-eval
runs-on: ${{ matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
if: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).aarch64_linux != null }}
strategy:
fail-fast: false
max-parallel: 5
matrix: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).aarch64_linux }}
steps:
- name: Checkout Repo
if: ${{ matrix.attr != '' }}
uses: actions/checkout@v4
- name: Install nix (ephemeral)
if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
uses: ./.github/actions/nix-install-ephemeral
with:
push-to-cache: 'true'
env:
DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
- name: Install nix (self-hosted)
if: ${{ matrix.attr != '' && matrix.runs_on.group == 'self-hosted-runners-nix' }}
uses: ./.github/actions/nix-install-self-hosted
- name: nix build
if: ${{ matrix.attr != '' }}
shell: bash
run: nix build --accept-flake-config -L .#${{ matrix.attr }}

nix-build-checks-aarch64-linux:
name: >-
${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
(aarch64-linux)
needs: [nix-eval, nix-build-packages-aarch64-linux]
runs-on: ${{ matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
if: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).aarch64_linux != null }}
strategy:
fail-fast: false
max-parallel: 5
matrix: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).aarch64_linux }}
steps:
- name: Checkout Repo
if: ${{ matrix.attr != '' }}
uses: actions/checkout@v4
- name: Install nix (ephemeral)
if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
uses: ./.github/actions/nix-install-ephemeral
with:
push-to-cache: 'true'
env:
DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
- name: Install nix (self-hosted)
if: ${{ matrix.attr != '' && matrix.runs_on.group == 'self-hosted-runners-nix' }}
uses: ./.github/actions/nix-install-self-hosted
- name: nix build
if: ${{ matrix.attr != '' }}
shell: bash
run: nix build --accept-flake-config -L .#${{ matrix.attr }}

nix-build-packages-aarch64-darwin:
name: >-
${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
(aarch64-darwin)
needs: nix-eval
runs-on: ${{ matrix.attr != '' && matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
if: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).aarch64_darwin != null }}
strategy:
fail-fast: false
max-parallel: 5
matrix: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).aarch64_darwin }}
steps:
- name: Checkout Repo
if: ${{ matrix.attr != '' }}
uses: actions/checkout@v4
- name: Install nix
if: ${{ matrix.attr != '' }}
uses: ./.github/actions/nix-install-self-hosted
- name: nix build
if: ${{ matrix.attr != '' }}
shell: bash
run: nix build --accept-flake-config -L .#${{ matrix.attr }}

nix-build-checks-aarch64-darwin:
name: >-
${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
(aarch64-darwin)
needs: [nix-eval, nix-build-packages-aarch64-darwin]
runs-on: ${{ matrix.attr != '' && matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
if: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).aarch64_darwin != null }}
strategy:
fail-fast: false
max-parallel: 5
matrix: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).aarch64_darwin }}
steps:
- name: Checkout Repo
if: ${{ matrix.attr != '' }}
uses: actions/checkout@v4
- name: Install nix
if: ${{ matrix.attr != '' }}
uses: ./.github/actions/nix-install-self-hosted
- name: nix build
if: ${{ matrix.attr != '' }}
shell: bash
run: nix build --accept-flake-config -L .#${{ matrix.attr }}

nix-build-packages-x86_64-linux:
name: >-
${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
(x86_64-linux)
needs: nix-eval
runs-on: ${{ matrix.attr != '' && matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
if: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).x86_64_linux != null }}
strategy:
fail-fast: false
matrix:
include:
- runner: blacksmith-32vcpu-ubuntu-2404
arch: amd64
- runner: blacksmith-32vcpu-ubuntu-2404-arm
arch: arm64
- runner: macos-latest-xlarge
arch: arm64
runs-on: ${{ matrix.runner }}
timeout-minutes: 180
max-parallel: 5
matrix: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).x86_64_linux }}
steps:
- name: Checkout Repo
uses: supabase/postgres/.github/actions/shared-checkout@HEAD
- uses: ./.github/actions/nix-install-ephemeral
if: ${{ matrix.attr != '' }}
uses: actions/checkout@v4
- name: Install nix
if: ${{ matrix.attr != '' }}
uses: ./.github/actions/nix-install-ephemeral
with:
push-to-cache: ${{ github.secret_source == 'Actions' && 'true' || 'false' }}
push-to-cache: 'true'
env:
DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
- name: Aggressive disk cleanup for DuckDB build
if: matrix.runner == 'macos-latest-xlarge'
run: |
nix --version
echo "=== BEFORE CLEANUP ==="
df -h
# Remove major space consumers
sudo rm -rf /usr/share/dotnet || true
sudo rm -rf /usr/local/lib/android || true
sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform || true
sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/watchOS.platform || true
sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/tvOS.platform || true
# Clean everything possible
sudo rm -rf /opt/ghc || true
sudo rm -rf /usr/local/share/boost || true
sudo rm -rf /opt/homebrew || true
sudo xcrun simctl delete all 2>/dev/null || true
# Aggressive cache cleanup
sudo rm -rf /System/Library/Caches/* 2>/dev/null || true
sudo rm -rf /Library/Caches/* 2>/dev/null || true
sudo rm -rf ~/Library/Caches/* 2>/dev/null || true
sudo rm -rf /private/var/log/* 2>/dev/null || true
sudo rm -rf /tmp/* 2>/dev/null || true
echo "=== AFTER CLEANUP ==="
df -h
-
name: Build psql bundle
run: >
nix run "github:Mic92/nix-fast-build?rev=b1dae483ab7d4139a6297e02b6de9e5d30e43d48"
-- --skip-cached --no-nom ${{ matrix.runner == 'macos-latest-xlarge' && '--max-jobs 1' || '' }} --copy-to "s3://nix-postgres-artifacts?secret-key=/etc/nix/nix-secret-key"
--flake ".#checks.$(nix eval --raw --impure --expr 'builtins.currentSystem')"
- name: nix build
if: ${{ matrix.attr != '' }}
shell: bash
run: nix build --accept-flake-config -L .#${{ matrix.attr }}

nix-build-checks-x86_64-linux:
name: >-
${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
(x86_64-linux)
needs: [nix-eval, nix-build-packages-x86_64-linux]
runs-on: ${{ matrix.attr != '' && matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
if: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).x86_64_linux != null }}
strategy:
fail-fast: false
max-parallel: 5
matrix: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).x86_64_linux }}
steps:
- name: Checkout Repo
if: ${{ matrix.attr != '' }}
uses: actions/checkout@v4
- name: Install nix
if: ${{ matrix.attr != '' }}
uses: ./.github/actions/nix-install-ephemeral
with:
push-to-cache: 'true'
env:
AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
- name: nix build
if: ${{ matrix.attr != '' }}
shell: bash
run: nix build --accept-flake-config -L .#${{ matrix.attr }}

run-testinfra:
needs: build-run-image
if: ${{ success() }}
needs: [nix-eval, nix-build-packages-aarch64-linux, nix-build-checks-aarch64-linux, nix-build-packages-aarch64-darwin, nix-build-checks-aarch64-darwin, nix-build-packages-x86_64-linux, nix-build-checks-x86_64-linux]
if: |
!cancelled() &&
needs.nix-eval.result == 'success' &&
(needs.nix-build-packages-aarch64-linux.result == 'skipped' || needs.nix-build-packages-aarch64-linux.result == 'success') &&
(needs.nix-build-checks-aarch64-linux.result == 'skipped' || needs.nix-build-checks-aarch64-linux.result == 'success') &&
(needs.nix-build-packages-aarch64-darwin.result == 'skipped' || needs.nix-build-packages-aarch64-darwin.result == 'success') &&
(needs.nix-build-checks-aarch64-darwin.result == 'skipped' || needs.nix-build-checks-aarch64-darwin.result == 'success') &&
(needs.nix-build-packages-x86_64-linux.result == 'skipped' || needs.nix-build-packages-x86_64-linux.result == 'success') &&
(needs.nix-build-checks-x86_64-linux.result == 'skipped' || needs.nix-build-checks-x86_64-linux.result == 'success')
uses: ./.github/workflows/testinfra-ami-build.yml
secrets:
DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}

run-tests:
needs: build-run-image
if: ${{ success() }}
needs: [nix-eval, nix-build-packages-aarch64-linux, nix-build-checks-aarch64-linux, nix-build-packages-aarch64-darwin, nix-build-checks-aarch64-darwin, nix-build-packages-x86_64-linux, nix-build-checks-x86_64-linux]
if: |
!cancelled() &&
needs.nix-eval.result == 'success' &&
(needs.nix-build-packages-aarch64-linux.result == 'skipped' || needs.nix-build-packages-aarch64-linux.result == 'success') &&
(needs.nix-build-checks-aarch64-linux.result == 'skipped' || needs.nix-build-checks-aarch64-linux.result == 'success') &&
(needs.nix-build-packages-aarch64-darwin.result == 'skipped' || needs.nix-build-packages-aarch64-darwin.result == 'success') &&
(needs.nix-build-checks-aarch64-darwin.result == 'skipped' || needs.nix-build-checks-aarch64-darwin.result == 'success') &&
(needs.nix-build-packages-x86_64-linux.result == 'skipped' || needs.nix-build-packages-x86_64-linux.result == 'success') &&
(needs.nix-build-checks-x86_64-linux.result == 'skipped' || needs.nix-build-checks-x86_64-linux.result == 'success')
uses: ./.github/workflows/test.yml
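Review bot: the removed line `push-to-cache: ${{ github.secret_source == 'Actions' && 'true' || 'false' }}` in the old x86_64 job gated cache pushes on secrets actually being available, while every new `Install nix (ephemeral)` step hardcodes `push-to-cache: 'true'`; on a pull_request from a fork (or a Dependabot run) `secrets.DEV_AWS_ROLE` and `secrets.NIX_SIGN_SECRET_KEY` are empty, so unless nix-install-ephemeral tolerates empty inputs these jobs will fail at the cache-push stage rather than just skip it. Restore the `github.secret_source` guard in the six build jobs. Second, `run: nix build --accept-flake-config -L .#${{ matrix.attr }}` expands a matrix value straight into the shell; pass it through `env:` (`ATTR: ${{ matrix.attr }}` and `nix build --accept-flake-config -L ".#$ATTR"`) so an attribute name containing shell metacharacters cannot become shell syntax. `--accept-flake-config` also applies any `nixConfig` (extra substituters, trusted keys) from the checked-out flake, which on pull_request events is the PR's flake; that deserves a comment explaining why it is acceptable on the persistent self-hosted runners. The `runs-on` expression differs between the aarch64-linux jobs and the others (the latter prefix `matrix.attr != '' &&`); pick one form. Lastly, the seven-line `if:` conditions on `run-testinfra` and `run-tests` are identical; a single gate job that `needs` all six build jobs, with both downstream jobs depending on it, would remove the duplication and make the next architecture a one-line change.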
38 changes: 38 additions & 0 deletions .github/workflows/nix-eval.yml
@@ -0,0 +1,38 @@
name: Nix Eval

on:
workflow_call:
outputs:
packages_matrix:
description: 'Generated build matrix for packages'
value: ${{ jobs.eval.outputs.packages_matrix }}
checks_matrix:
description: 'Generated build matrix for checks'
value: ${{ jobs.eval.outputs.checks_matrix }}
secrets:
DEV_AWS_ROLE:
required: false
NIX_SIGN_SECRET_KEY:
required: false

jobs:
eval:
runs-on: blacksmith-32vcpu-ubuntu-2404
outputs:
packages_matrix: ${{ steps.set-matrix.outputs.packages_matrix }}
checks_matrix: ${{ steps.set-matrix.outputs.checks_matrix }}
steps:
- name: Checkout Repo
uses: actions/checkout@v4
- name: Install nix
uses: ./.github/actions/nix-install-ephemeral
with:
push-to-cache: 'true'
env:
DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
- id: set-matrix
name: Generate Nix Matrix
run: |
set -Eeu -o pipefail
nix run --accept-flake-config .\#github-matrix -- checks legacyPackages
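Review bot: the `set-matrix` step declares `packages_matrix` and `checks_matrix` outputs, but its script never writes `$GITHUB_OUTPUT`; it relies on `nix run --accept-flake-config .\#github-matrix -- checks legacyPackages` emitting those keys itself, a coupling that is invisible from this file. Add a comment above the step stating that the github-matrix package writes both outputs (and fails the step if it cannot, which `set -Eeu -o pipefail` then propagates). Also, `push-to-cache: 'true'` on an evaluation-only job assumes the secrets are present even though both are declared `required: false`; either derive it from `github.secret_source` as the previous build job did, or drop it here, since evaluation produces nothing that needs pushing.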